Overview:

Through our partnership with REN-ISAC and SANS*, MOREnet is able to obtain bulk discounts on SANS training for all our members. The End User training consists of short, high-quality video clips that are easily understandable and pertinent to situations that staff may encounter. You can see a list of the modules at http://www.securingthehuman.org/services/demo-training-lab.

SUPPORT IS ESSENTIAL: Security awareness teams are not getting the support they need to be successful. More than 50 percent of awareness personnel surveyed have a budget of $5,000 or less or don't know what their budget is. Less than 15 percent of awareness personnel are dedicated full-time to their jobs. While this is an improvement from last year's 10 percent, we are concerned that it is still too low. In fact, 64 percent of people reported spending less than a quarter of their time on awareness. Finally, 35 percent report not having the executive support they need. Why is all of this important? Because the data shows a strong relationship between the amount of support you have and the maturity of your security awareness program. We need to do a better job of educating leadership that security cannot be solved by technology alone; it must also address the human factor. Key steps to achieving this include demonstrating to leadership that you have a proven roadmap to creating a secure culture and the metrics to show leadership the impact your program is having.

SOFT SKILLS ARE LACKING: Last year, we reported that soft skills were lacking in security awareness personnel. By soft skills, we mean skills such as communications, change management, learning theory and behavior modeling. The data told the same story this year: more than 80 percent of security awareness personnel have a technical background, with skills such as debugging network traffic, building websites or securing a server. However, this also means that many security awareness teams don't understand the proven concepts and techniques in changing behavior and culture. In addition, we identified communications as one of the key soft skills lacking. By communications, we mean engaging employees with a meaningful message, delivering the right content to the right people, leveraging multiple communication methods and building a roadmap that pulls this all together. One successful approach is embedding someone from your communications department into your security team. A second option is to train your awareness team on the new skills they will need. A third option is to contract or hire someone with strong soft skills. Long story short, you not only need security expertise on your awareness team, but you need soft skills, starting with communications.

Security awareness is hard. Today's security awareness teams don't have the support, time or resources they need to be successful and/or are missing the skills and experience to effectively engage and train their organizations. At MOREnet, we're here to help. Simply email security@more.net for more information on our cyber security operations team.